Am I correct to assume that the call to 18222E214 will never be executed?
sub rsp, 28h
mov byte ptr [rsp+27h], 0
mov al, [rsp+27h]
test al, 1
jz short loc_182C60C26
call loc_18222E214
This is from an obfuscated library I'm analyzing.
Later on in the flow there are just multiple instructions like this:
mov dword ptr [rsp+20h], 7D9EAD41h
mov eax, [rsp+20h]
mov dword ptr [rsp+20h], 4071AA37h
mov eax, [rsp+20h]
nop //
mov dword ptr [rsp+20h], 0D6C6C2CDh
mov eax, [rsp+20h]
// so on and so forth
Feels just like a dead store.
It shouldn't be. You're loading the value 0 into the al register. test al,1 sets the Sign, Zero, and Parity flags as though an and instruction had been executed. If you do an and al,1 when al contains 0, the Zero flag is set.
In your example, the Zero flag will be set by the test instruction, so the short jump will be taken and the call instruction following the jz will not be executed.
Since you edited your question to say that it looks like the branch is being taken, then it's likely that there's something you didn't catch. Possibilities:
mov al, [rsp+27h] instruction.
[rsp+27h] after you put 0 in there, but before you load al.
loc_18222E214.
Can't solve your problem without more information.
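An added example, not part of the original question or answer: a minimal constant-propagation pass over the question's first listing that tracks known stack bytes and registers, computes the Zero flag for test, and reports when a jz has a fixed outcome. The function names are hypothetical, the parser handles only the instruction forms shown here, and it assumes straight-line execution with no other entry point and no other writer to the stack slot, which are exactly the caveats the answer lists.

```python
import re

# The question's first listing, embedded as sample input.
LISTING = """\
sub rsp, 28h
mov byte ptr [rsp+27h], 0
mov al, [rsp+27h]
test al, 1
jz short loc_182C60C26
call loc_18222E214
"""

def imm(tok):
    """Parse a MASM-style immediate such as 28h, 0D6C6C2CDh or 0."""
    tok = tok.strip().lower()
    return int(tok[:-1], 16) if tok.endswith("h") else int(tok)

def analyze(listing):
    """Return (instruction, verdict) for each jz whose outcome is fixed by
    constants. Register aliasing (al vs eax) is not modelled."""
    mem, regs, zf, out = {}, {}, None, []
    for line in listing.splitlines():
        line = line.split("//")[0].strip()
        if not line:
            continue
        op, _, rest = line.partition(" ")
        args = [a.strip() for a in rest.split(",")]
        if op == "mov":
            dst, src = args
            slot = re.search(r"\[(.+?)\]", dst)
            if slot:                      # store an immediate to a stack slot
                mem[slot.group(1)] = imm(src)
            else:                         # load a slot or immediate into a register
                s = re.search(r"\[(.+?)\]", src)
                regs[dst] = mem.get(s.group(1)) if s else imm(src)
        elif op == "test":                # ZF = ((a AND b) == 0), operands unchanged
            a = regs.get(args[0])
            zf = None if a is None else int((a & imm(args[1])) == 0)
        elif op == "jz" and zf is not None:
            out.append((line, "always taken" if zf else "never taken"))
        elif op != "nop":                 # unmodelled op: forget what it may clobber
            zf = None
            regs.pop(args[0], None)
            if args[0] == "rsp" or op == "call":
                mem.clear(); regs.clear()
    return out

if __name__ == "__main__":
    print(analyze(LISTING))
```

A verdict of "always taken" means the call after the jz is unreachable by fall-through only; it says nothing about other code branching into the middle of the sequence or calling the target directly.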